Orangehrm: >> Orangehrm >> 4.10 Security Vulnerabilities
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter
CVSS Score
5.4
EPSS Score
0.002
Published
2022-04-06
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-04-06
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-04-06
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-04-06